A breach of Quest Diagnostics’ billing collections vendor could have exposed the personal, financial, and medical information of as many as 12 million customers, multiple media outlets are reporting.
In an 8-K filing with the Securities and Exchange Commission, the Secaucus, NJ-based company said that sometime between August 1, 2018 and March 30, 2019, an unauthorized user breached AMCA, its billing collections vendor.
Quest said in its filing that law enforcement has been contacted regarding the incident, adding that laboratory test results were not provided to AMCA and were therefore not impacted by the breach.
“Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information,” the company said in a filing.
AMCA commented on the data breach and gave an update on how it was handling the matter.
"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system," AMCA said via email. "Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information."
Cybersecurity is a hot topic in medtech right now and was discussed in May during the BioMed Device Boston Conference in a session titled "Cybersecurity in Medical Devices: How Good Is Your Threat Model?"
Companies are not immune to these threats, no matter how big or small. In September of last year, liquid biopsy specialist Guardant Health said in an SEC filing that the private information of about 1,100 individuals was exposed due to a cybersecurity attack.
In March, the Department of Homeland Security and FDA alerted people about cybersecurity vulnerabilities affecting Medtronic's implantable defibrillators. The Dublin-based company said it was developing updates to further mitigate these vulnerabilities.
In response to the growing number of cybersecurity threats to medtech, AdvaMed has adopted a set of five principles aimed at helping medical device companies and healthcare organizations mitigate these issues.
AdvaMed said that, in short, these include: addressing cybersecurity risk from device conception through disposal; an understanding that medical device cybersecurity is a shared responsibility; implementing coordinated disclosure policies; participating in information sharing programs; and having standards and regulations developed collaboratively among all relevant stakeholders.